typescript-plugin-css-modules
stylus is relying on outdated/deprecated deps
Describe the bug
One of the dependencies of this project is using an old version of a dep, which is causing npm WARN deprecated to show up on every install.
Namely, stylus relies on css-parse which has been replaced by just css. There has been a PR up for a few months that fixes it, but it seems like the maintainer of stylus is nowhere to be found.
To Reproduce
- Install this package
- You'll see:
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
Expected behavior
Shouldn't rely on deprecated packages.
Additional context
The quick and dirty solution would be for you to fork stylus and just do a branch install. Otherwise I'm not sure other than playing the waiting-game. Not sure what stylus is used for, perhaps it can be replaced with something smaller/simpler?
Hi @fgblomqvist, sorry for the slow reply.
We use Stylus for processing those files, as we support that alongside Sass, Less, etc.
I was thinking about this today... the best we could do is to make it an optional dependency and import the module only when needed, but TypeScript doesn't work well with asynchronous code in plugins...
I'd be open to other thoughts?
You can see it in use here: https://github.com/mrmckeb/typescript-plugin-css-modules/blob/main/src/helpers/getClasses.ts#L96-L100
All good!
While not super credible, it does feel like Stylus has been discontinued (for now). No release/commits in over 9 months, and even before that, it looks like it was mostly in maintenance mode for a year or so. I don't think it would be that far-fetched to just drop support for .styl files in a 4.0 release.
I don't know how many people actually use that format (I've honestly never come across it in the wild, but I obviously haven't seen everything, it clearly has millions of downloads on npm every week). If someone wants to retain support for that format, they could either fork Stylus and keep maintaining it (and send a PR to re-add support here), or try to get someone else to do it.
As with all things open-source, things do come to an end from time to time and I think people understand that.
I emailed the last active maintainer of the project to see if I can get a status update. Will let you know.
Thank you! I'll await any updates from you 🙂
Haven't gotten any response yet. Will report back the day (if ever) that I do. Up to you at what point you'd consider it unmaintained 🙃
Just noticed that in the issue I linked above, it was just mentioned that Angular is dropping support for Stylus in v12. So they already made up their minds.
I guess we could make this an optional peer dependency, and document that you need to install Stylus yourself for it to work. Alternatively, we could just provide an example of a custom renderer for Stylus. What do you think @lianapache?
Just an update, we still haven't decided what to do about this.
I've upgraded Stylus today, but that isn't going to help much as the project hasn't been updated in a long time as discussed.
Thanks for the update, hopefully you'll reach a solution sooner or later 🙂
Any update on this? I'm still voting for just dropping it 🙃
Not yet sorry. I think we'll probably end up dropping it though... especially if it's no longer actively maintained, and there are other solutions available.
@mrmckeb I think it makes sense to drop it and just provide an example of a custom renderer as you suggested earlier
In the meantime, you can bump stylus to 0.55.0, which would resolve the deprecation warning for now.
I'll create a PR in the next days to do a dependency bump across all deps.
This is now causing an Audit Failure.
[low] decode-uri-component: decode-uri-component vulnerable to Denial of Service (DoS) (1085054)
typescript-plugin-css-modules>stylus>css-parse>css>source-map-resolve>decode-uri-component
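The path in the audit output above shows which direct dependency has to be bumped or dropped to clear the advisory. As an added example (not code from this thread or from the project), the sketch below walks a constructed dependency graph and lists every such path. The stylus chain is copied from the audit line, while `example-other-dep` and its edges are hypothetical, added to show a second path and a dependency cycle.

```javascript
// Constructed graph: package name -> direct dependencies. The stylus chain is
// copied from the audit output above; "example-other-dep" is hypothetical.
const GRAPH = {
  'typescript-plugin-css-modules': ['stylus', 'example-other-dep'],
  stylus: ['css-parse'],
  'css-parse': ['css'],
  css: ['source-map-resolve'],
  'source-map-resolve': ['decode-uri-component'],
  'example-other-dep': ['css', 'typescript-plugin-css-modules'], // cycle to root
};

// Depth-first search for every simple path from root to target.
function findPaths(graph, root, target) {
  const paths = [];
  const stack = [];
  const onPath = new Set();
  function visit(name) {
    if (onPath.has(name)) return; // dependency cycle: stop instead of looping
    stack.push(name);
    onPath.add(name);
    if (name === target) {
      paths.push([...stack]);
    } else {
      for (const dep of graph[name] || []) visit(dep);
    }
    onPath.delete(name);
    stack.pop();
  }
  visit(root);
  return paths;
}

// Direct dependencies of the root that pull in the target package.
function directCulprits(paths) {
  return [...new Set(paths.filter((p) => p.length > 1).map((p) => p[1]))];
}

// Same "a>b>c" rendering as the audit output.
function formatPaths(paths) {
  return paths.map((p) => p.join('>'));
}

const found = findPaths(GRAPH, 'typescript-plugin-css-modules', 'decode-uri-component');
console.log(formatPaths(found).join('\n'));
console.log('direct dependencies to bump or drop:', directCulprits(found).join(', '));
```

Removing or upgrading one direct dependency only clears the finding if no other path remains, which is why all paths are listed rather than the first one found.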
We've now bumped all dependencies, this will be released today.